This security update resolves four privately reported vulnerabilities in Microsoft Exchange Server. The most severe of these vulnerabilities could allow elevation of privilege if a user clicks a specially crafted URL that takes them to a targeted Outlook Web App site. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL.

This security update is rated Important for all supported editions of Microsoft Exchange Server 2007, Microsoft Exchange Server 2010, and Microsoft Exchange Server 2013. For more information, see the Affected Software section.

The security update addresses the vulnerabilities by ensuring that Outlook Web App properly validates request tokens and by ensuring that URLs are properly sanitized. For more information about the vulnerabilities, see the Vulnerability Information section.

The following software versions or editions are affected. Versions or editions that are not listed are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Does this update contain any non-security related changes to functionality? No, Exchange Server 2013 Security Updates only contain fixes for the issue(s) identified in the security bulletin.

Update Rollups for Exchange Server 2007 and Exchange Server 2010 may contain additional new fixes. Customers who have not remained current in their deployment of the cumulative update rollups may experience new functionality after applying this update.

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the December bulletin summary.

Outlook Web App Token Spoofing Vulnerability - CVE-2014-6319

A token spoofing vulnerability exists in Exchange Server when Microsoft Outlook Web App (OWA) fails to properly validate a request token. An attacker who successfully exploited this vulnerability could then use the vulnerability to send email that appears to come from a user other than the attacker (e.g., from a trusted source). Customers who access their Exchange Server email via Outlook Web App are primarily at risk from this vulnerability. The update addresses the vulnerability by ensuring that Outlook Web App properly validates request tokens.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
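As an added illustration of the class of check the fix describes (validating that a request token belongs to the authenticated user), the following example is not Microsoft's code and does not reflect OWA's actual token format; the token layout, secret and user names are assumptions constructed for the example. The server derives the sender from the authenticated session and rejects tokens that were issued to a different user, are expired, or carry a bad signature.

```python
import base64
import hashlib
import hmac
import time

# Server-side signing key; constructed for the example, never hard-code it in a real deployment.
SERVER_SECRET = b"example-only-secret"
TOKEN_TTL = 3600  # seconds a request token stays valid (assumed value)


def issue_request_token(user, now=None):
    """Issue a token bound to `user`: base64(user|expiry|hex(HMAC-SHA256(user|expiry)))."""
    issued = int(time.time()) if now is None else now
    payload = f"{user}|{issued + TOKEN_TTL}".encode()
    tag = hmac.new(SERVER_SECRET, payload, hashlib.sha256).hexdigest().encode()
    return base64.urlsafe_b64encode(payload + b"|" + tag).decode()


def validate_request_token(session_user, token, now=None):
    """Return True only if `token` is intact, unexpired and was issued to `session_user`.

    The sender of any outgoing mail is taken from the session identity, never from
    the request body, so a token issued to another user cannot be replayed to send
    mail that appears to come from that user.
    """
    current = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token.encode())
        # rsplit from the right: the tag is hex and the expiry is digits, so neither
        # contains '|', while the user part may.
        user, exp, tag = raw.rsplit(b"|", 2)
        expected = hmac.new(SERVER_SECRET, user + b"|" + exp, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(tag, expected):
            return False  # forged or tampered token
        if int(exp) <= current:
            return False  # expired token
        return user.decode() == session_user  # token must match the logged-in user
    except ValueError:
        return False  # malformed base64, non-numeric expiry or undecodable user part
```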

Mitigating Factors

In a web-based attack scenario, an attacker could host a website that is used to attempt to exploit this vulnerability. In addition, compromised websites and websites that accept or host user-provided content or advertisements could contain specially crafted content that could exploit this vulnerability. In all cases, however, an attacker would have no way to force users to view attacker controlled content. Instead, an attacker would have to convince users to take action, typically by getting them to click a link in an email message or Instant Messenger message that takes users to the attacker’s website.

Workarounds

Multiple OWA XSS Vulnerabilities

Elevation of privilege vulnerabilities exist when Microsoft Exchange Server does not properly validate input. An attacker who successfully exploited these vulnerabilities could run script in the context of the current user. An attacker could, for example, read content that the attacker is not authorized to read, use the victim's identity to take actions on the Outlook Web App site on behalf of the victim, such as changing permissions and deleting content, and inject malicious content into the victim's browser. Any system that is used to access an affected version of Outlook Web App would potentially be at risk of attack. The update addresses the vulnerabilities by ensuring that URLs are properly sanitized.

For these vulnerabilities to be exploited, a user must click a specially crafted URL that takes the user to a targeted Outlook Web App site.

In an email attack scenario, an attacker could exploit the vulnerabilities by sending an email message containing the specially crafted URL to the user of the targeted Outlook Web App site and convincing the user to click the specially crafted URL.

In a web-based attack scenario, an attacker would have to host a website that contains a specially crafted URL to the targeted Outlook Web App site that is used to attempt to exploit these vulnerabilities. In addition, compromised websites and websites that accept or host user-provided content could contain specially crafted content that could exploit these vulnerabilities. An attacker would have no way to force users to visit a specially crafted website. Instead, an attacker would have to convince them to visit the website, typically by getting them to click a link in an email message or Instant Messenger message that takes them to the attacker's website, and then convince them to click the specially crafted URL.

The following table contains links to the standard entry for each vulnerability in the Common Vulnerabilities and Exposures list:

Mitigating Factors

Workarounds

Microsoft has not identified any workarounds for these vulnerabilities.

Exchange URL Redirection Vulnerability - CVE-2014-6336

A spoofing vulnerability exists in Microsoft Exchange when Microsoft Outlook Web App (OWA) fails to properly validate redirection tokens. An attacker who successfully exploited this vulnerability could redirect a user to an arbitrary domain from a link that appears to originate from the user’s domain. An attacker could use the vulnerability to send email that appears to come from a user other than the attacker. Customers who access their Exchange Server email via Outlook Web App are primarily at risk from this vulnerability. The update addresses the vulnerability by ensuring that URLs are properly sanitized.

Microsoft received information about this vulnerability through coordinated vulnerability disclosure. When this security bulletin was originally issued, Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers.
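The redirection entry above, and the OWA XSS entry before it, both describe the fix as proper URL sanitization. As an added example that is not Microsoft's code and does not reproduce how OWA validates redirection tokens, the function below shows the kind of allow-list check a web front end applies to a redirect target so that a link on the user's own domain cannot send the browser to an arbitrary domain; the allowed host and the sample targets are constructed assumptions.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts this front end may redirect to (constructed example value).
ALLOWED_HOSTS = {"mail.example.com"}


def safe_redirect_target(raw, default="/owa/"):
    """Return `raw` if it stays on an allowed host, otherwise `default`.

    Rejects the usual open-redirect shapes: absolute URLs to other hosts,
    scheme-relative targets ("//evil"), backslash variants ("/\\evil"),
    userinfo tricks ("https://mail.example.com@evil"), non-http(s) schemes
    and control characters.
    """
    if not raw or any(c in raw for c in "\r\n\x00"):
        return default
    # Browsers treat a backslash in the authority like a slash; normalise before parsing.
    candidate = raw.replace("\\", "/")
    parts = urlsplit(candidate)
    if parts.scheme and parts.scheme.lower() not in ("http", "https"):
        return default  # javascript:, data:, etc.
    if parts.netloc:
        # .hostname drops userinfo and port and lowercases; reject any '@' outright.
        host = parts.hostname or ""
        if "@" in parts.netloc or host not in ALLOWED_HOSTS:
            return default
        return urlunsplit(parts)
    # No authority: only a single-slash path on this origin is acceptable.
    if not candidate.startswith("/") or candidate.startswith("//"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, parts.fragment))
```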

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

V2.0 (December 10, 2014): Revised bulletin to remove Download Center link for Microsoft security update 2986475 for Microsoft Exchange Server 2010 Service Pack 3 to address a known issue with the update. Microsoft is working to address the issue, and will update this bulletin when more information becomes available. Microsoft has removed update 2986475 and recommends that customers uninstall update 2986475 if they have already installed it.

V3.0 (December 12, 2014): Rereleased bulletin to announce the reoffering of Microsoft security update 2986475 for Microsoft Exchange Server 2010 Service Pack 3. The rereleased update addresses a known issue in the original offering. Customers who uninstalled the original update should install the updated version of 2986475 at the earliest opportunity.